Add ansible playbook to deploy egeria (#4)

README.md

@@ -5,6 +5,7 @@ This repository contains the infrastructure code and development tools/scripts f
 ## What's inside the toolbox?
 
 - /demo-idp - Ansible playbook to deploy a production instance of keycloak, used by https://demoidp.trento.suse.com
+- /egeria - The trento PR environments dashboard, source code and ansible playbook
 
 
 

egeria/ansible/README.md

@@ -0,0 +1,53 @@
+# egeria Playbook - Deploy Egeria service
+
+This playbook deploys `egeria` the trento pr environments dashboard
+
+Supports Opensuse Leap 15
+
+This playbook is meant to run on trento pr environment machine, the playbook assumes nginx, docker, firewalld and all the playbook dependencies already being installed on the machine.
+
+### Required Playbook variables
+
+| Name                       | Description                                       |
+| -------------------------- | ------------------------------------------------- |
+| github_app_private_key       | Private Key of the github application used for api authentication |
+| github_app_id | Application id of the github application used for api authentication     |
+| github_installation_id    | Installation id of the github application used for api authentication        |
+| egeria_server_name    | Server name of the egeria service      |
+
+### Example inventory
+
+```yaml
+all:
+  children:
+    egeria-server:
+      hosts:
+        pr-machine:
+          ansible_host: "your-host"
+          ansible_user: "your-user"
+```
+
+### Playbook Usage
+
+Clone the repository.
+Use the playbook `playbook.yml` to install and configure egeria.
+
+Prior to running the playbook, tell ansible to fetch the required modules:
+```
+ansible-galaxy collection install -r requirements.yml
+```
+
+> **Note**: <br />
+> The `@` character in front of the `vars.json` path is mandatory. This tells `ansible-playbook` that the variables will not be specified in-line but
+> as an external file instead.
+
+Run the playbook:
+```
+ansible-playbook -i path/to/inventory.yml --extra-vars "@path/to/vars.json" playbook.yml
+```
+
+Having an inventory file called `inventory.yml` and a vars file called `extra-vars.json`, you could run the playbook
+
+```bash
+$ ansible-playbook -i inventory.yml --extra-vars @extra-vars.json playbook.yml
+```

egeria/ansible/group_vars/egeria-server.yml

@@ -0,0 +1,18 @@
+---
+proxy_nginx_vhost_filename: "egeria"
+proxy_nginx_vhost_http_listen_port: "80"
+proxy_nginx_vhost_https_listen_port: "443"
+proxy_egeria_upstream_name: "egeria"
+proxy_ssl_certificate_key_path: "/etc/letsencrypt/live/{{ egeria_server_name }}/privkey.pem"
+proxy_ssl_certificate_path: "/etc/letsencrypt/live/{{ egeria_server_name }}/fullchain.pem"
+egeria_listen_port: "4040"
+egeria_image: "ghcr.io/trento-project/egeria:rolling"
+enable_certbot_certificate_provisioning: "true"
+force_pull_images: "true"
+recreate_egeria_container: "false"
+proxy_nginx_conf_base_dir: "/etc/nginx"
+proxy_nginx_vhost_dir: "vhosts.d"
+proxy_nginx_conf_dir: "conf.d"
+proxy_nginx_user: nginx
+proxy_nginx_group: nginx
+proxy_nginx_service: nginx

egeria/ansible/playbook.yml

@@ -0,0 +1,102 @@
+# code: language=ansible
+---
+- name: Install thirdparties
+  hosts: egeria-server
+  become: true
+  pre_tasks:
+    - name: Check Leap Distribution compatibility
+      ansible.builtin.fail:
+        msg: "This playbook only runs on LEAP 15 or above. Detected: {{ ansible_distribution }} {{ ansible_distribution_version }}"
+      when: >
+        ansible_distribution != "openSUSE Leap" or
+        ansible_distribution_version is version('15.3', '<')
+
+  tasks:
+    - name: Install installation prerequisites
+      community.general.zypper:
+        name:
+          - gcc
+          - sudo
+          - git
+          - cronie # Certbot role cronjob renew
+        update_cache: true
+
+    - name: Start cronie service
+      ansible.builtin.service:
+        name: "cron"
+        state: started
+        enabled: true
+
+    - name: Install python prerequisites
+      community.general.zypper:
+        name:
+          - python3-setuptools
+          - python3-pip
+          - python3-pexpect
+          - python3-devel
+          - python3-rpm
+        state: present
+        update_cache: true
+
+
+- name: Configure egeria components
+  hosts: egeria-server
+  become: true
+  handlers:
+    - name: Restart nginx
+      ansible.builtin.service:
+        name: nginx
+        state: restarted
+  tasks: 
+    - name: Force pull egeria image
+      when: force_pull_images == 'true'
+      community.docker.docker_image:
+        name: "{{ egeria_image }}"
+        force_source: true
+        source: pull
+
+    - name: Egeria container
+      community.docker.docker_container:
+        name: egeria
+        state: started
+        restart_policy: unless-stopped
+        recreate: "{{ recreate_egeria_container == 'true' }}"
+        image: "{{ egeria_image }}"
+        pull: true
+        volumes:
+          - /var/run/docker.sock:/var/run/docker.sock
+        ports:
+          - "{{ egeria_listen_port }}:4040"
+        env:
+          GITHUB_APP_PRIVATE_KEY: "{{ github_app_private_key }}"
+          GITHUB_APP_ID: "{{ github_app_id }}"
+          GITHUB_INSTALLATION_ID: "{{ github_installation_id }}"
+
+    - name: Configure egeria vhost
+      ansible.builtin.template:
+        src: "egeria.conf.j2"
+        dest: "{{ proxy_nginx_conf_base_dir }}/{{ proxy_nginx_vhost_dir }}/{{ proxy_nginx_vhost_filename }}.conf"
+        owner: "{{ proxy_nginx_user }}"
+        group: "{{ proxy_nginx_group }}"
+        mode: "0644"
+      vars:
+        server_name: "{{ egeria_server_name }}"
+        egeria_port: "{{ egeria_listen_port }}"
+        http_listen_port: "{{ proxy_nginx_vhost_http_listen_port }}"
+        https_listen_port: "{{ proxy_nginx_vhost_https_listen_port }}"
+        egeria_upstream: "{{ proxy_egeria_upstream_name }}"
+        ssl_certificate: "{{ proxy_ssl_certificate_path }}"
+        ssl_certificate_key: "{{ proxy_ssl_certificate_key_path }}"
+      notify:
+        - Restart nginx
+  roles:
+    - role: geerlingguy.certbot
+      become: true
+      when: enable_certbot_certificate_provisioning == 'true'
+      vars:
+        certbot_create_if_missing: "yes"
+        certbot_create_extra_args: ""
+        certbot_admin_email: [email protected]
+        certbot_certs:
+          - domains:
+              - "{{ egeria_server_name }}"

egeria/ansible/requirements.yml

@@ -0,0 +1,9 @@
+---
+collections:
+  - community.docker
+  - community.general
+  - community.rabbitmq
+  - community.postgresql
+  - ansible.posix
+roles:
+  - name: geerlingguy.certbot

egeria/ansible/templates/egeria.conf.j2

@@ -0,0 +1,39 @@
+map $http_upgrade $connection_upgrade {
+  default upgrade;
+  '' close;
+}
+
+upstream {{ egeria_upstream }} {
+  server 127.0.0.1:{{ egeria_port }} max_fails=5 fail_timeout=60s;
+}
+
+server {
+  server_name {{ server_name }};
+  listen {{ https_listen_port }} ssl;
+
+  ssl_certificate {{ ssl_certificate }};
+  ssl_certificate_key {{ ssl_certificate_key }};
+
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+  ssl_prefer_server_ciphers on;
+  ssl_session_cache shared:SSL:10m;
+
+  location / {
+    allow all;
+
+    # Proxy Headers
+    proxy_http_version 1.1;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Cluster-Client-Ip $remote_addr;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+    # The Important Websocket Bits!
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+
+    proxy_pass http://{{ egeria_upstream }};
+  }
+}